From 2502d79b6152b54aeb09a8a65d818cc9674f07fc Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 14 Feb 2019 13:40:30 +0100
Subject: update signature validation in SAML2 Redirect-Binding

---
 .../verification/PVPAuthRequestSignedRole.java     | 23 +++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
index 6a5886a7..6d5fdff8 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PVPAuthRequestSignedRole.java
@@ -26,6 +26,8 @@
  *******************************************************************************/
 package at.gv.egiz.eaaf.modules.pvp2.impl.verification;
 
+import java.util.List;
+
 import org.opensaml.common.binding.SAMLMessageContext;
 import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule;
 import org.opensaml.ws.transport.http.HTTPInTransport;
@@ -41,13 +43,24 @@ public class PVPAuthRequestSignedRole extends SAML2AuthnRequestsSignedRule {
     protected boolean isMessageSigned(SAMLMessageContext messageContext) {        
         // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings.
         HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport();
-        String sigParam = inTransport.getParameterValue("Signature");
-        boolean isSigned = !DatatypeHelper.isEmpty(sigParam);
         
-        String sigAlgParam = inTransport.getParameterValue("SigAlg");
-        boolean isSigAlgExists = !DatatypeHelper.isEmpty(sigAlgParam);
+        //Check signature parameter exists only once and is not empty 
+        List<String> sigParam = inTransport.getParameterValues("Signature");
+        boolean isValidSigned = sigParam.size() == 1 && !DatatypeHelper.isEmpty(sigParam.get(0));
+        
+        //Check signature-algorithm parameter exists only once and is not empty
+        List<String> sigAlgParam = inTransport.getParameterValues("SigAlg");
+        boolean isValidSigAlgExists = sigAlgParam.size() == 1 && !DatatypeHelper.isEmpty(sigAlgParam.get(0));
+        
+        //Check signature-content parameter exists only once and is not empty
+        List<String> samlReqParam = inTransport.getParameterValues("SAMLRequest");
+        List<String> samlRespParam = inTransport.getParameterValues("SAMLResponse");        
+        boolean isValidContent = ( ( samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0)) )
+        							|| ( samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0)) ) 
+        						 ) && !(samlReqParam.size() == 1 && samlRespParam.size() == 1)
+        		;
         
-        return isSigned && isSigAlgExists;
+        return isValidSigned && isValidSigAlgExists && isValidContent;
                
     }
 }
-- 
cgit v1.2.3